Add analytics. Invert gitignore

Add links to other repos
Some comments
2021-12-04 23:13:12 +01:00 · 2021-09-05 16:22:51 +02:00 · 2021-09-03 10:59:26 +02:00 · 2021-08-21 23:29:17 +02:00 · 2021-08-21 23:14:25 +02:00 · 2021-08-21 23:10:46 +02:00
7 changed files with 233 additions and 92 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -1,7 +1,10 @@
-traefik/acme.json
-traefik/certs/
-traefik/traefik.log
+**/*
+!.gitignore

-authelia/db.sqlite3
-authelia/notification.txt
-authelia/users_database.yml
+!README.md
+!docker-compose.yaml
+
+!traefik/traefik.yaml
+!traefik/config/*
+
+!authelia/configuration.yaml
--- a/README.md
+++ b/README.md
@@ -2,17 +2,71 @@

 Configuration for traefik 2 and authelia

+## Environment variables

-### Authelia preprocessor
-The authelia configuration contains some sensitive values, but authelia cannot read them from env variables like traefic can.
-Instead, a special service - `authelia-config` runs before authelia start, and preprocesses the configuration file.
+This setup uses two global environment variables: `PRIVATE_DOMAIN` and `PUBLIC_DOMAIN`. Those are two registered domain names I use for public and private services.

- Local file `./authelia/configuration.yaml` is mapped to `/data/input` in `authelia-config`
- Volume `authelia-config` is mapped to `/data/output` in `authelia-config`
- `authelia-config` runs `gomplate` on `/data/input` and saves to `data/output/configuration.yaml`
- Volume `authelia-config` is mapped to `/etc/authelia` in `authelia`, where it reads its configuration
+There is also an `.env` file which defines a few more variables:
+```
+AUTHELIA_JWT_SECRET=...
+AUTHELIA_SESSION_SECRET=...
+AUTHELIA_SESSION_DOMAIN=...
+AUTHELIA_TOTP_ISSUER=...
+TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...
+```
+
+The value of those depend on your setup and can be found in the Traefik and Authelia documentation.
+
+## Networks
+For the docker setup of my home server, I have create four specific docker networks
+
+### LAN
+A macvlan network with full network and internet access
+Containers on this network will be provided an IP on my local home LAN and have direct access to it as if they were using the Host network setting.
+
+Containers get IPs in the range 192.168.1.128-192.168.1.254
+
+```
+subnet: 192.168.1.0/23
+range: 192.168.1.128/25
+gateway: 192.168.0.1
+parent: eno1
+```
+
+### IOT
+A macvlan set to my VLAN for IOT things. Machines on this do not have access to the LAN or to the internet, with a few exceptions (ex. NTP server access).
+
+Containers get IPs in the range 192.168.2.9-192.168.2.127
+
+```
+subnet: 192.168.2.0/24
+range: 192.168.2.0/25
+gateway: 192.168.2.1
+parent: eno1:10
+```
+
+### GUEST
+A macvlan set to my VLAN for guest WIFI. Machines on this have access to the internet, but not to the local LAN.
+
+```
+subnet: 192.168.5.0/24
+range: 192.168.5.0/26
+gateway: 192.168.2.1
+parent: eno1:20
+```
+
+### WEB
+A bridge network for containers that shall be accessible by web interface. Routed by Traefik.

 ## Lessons learned

 - Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
 - The authorization link should NOT end with `/#/` or `/%2F/` or anything, just `/`. Otherwise it will not redirect you back after authorizing.
+
+
+# Docker-compose pieces that depend on this
+
+- [SSH entrypoint](/thomas/docker-ssh/)
+- [Home Automation](/thomas/docker-ha/)
+- [GIT server](/thomas/docker-git/)
+- [Plex media server](/thomas/docker-plex/)
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,42 +1,38 @@
-host: 0.0.0.0
-port: 9091
-logs_level: trace
-jwt_secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-jwt-secret
+# log:
+#   level: debug
+
+theme: auto
 authentication_backend:
  file:
-    path: /opt/authelia/users_database.yml
+    path: /config/users_database.yml

-    # {{ env.Getenv "ROOT_DOMAIN" }}
 session:
-  name: authelia_session
-  secret: {{ env.Getenv "PRIVATE_DOMAIN" }}-token-secret
-  domain: {{ env.Getenv "PRIVATE_DOMAIN" }}
-  expiration: 604800
-  inactivity: 300
+  # domain: SET BY ENV VARIABLE AUTHELIA_SESSION_DOMAIN
+  # secret: SET BY ENV VARIABLE AUTHELIA_SESSION_SECRET

 storage:
  local:
-    path: /opt/authelia/db.sqlite3
-
-totp:
-  issuer: {{ env.Getenv "PRIVATE_DOMAIN" }}
+    path: /config/db.sqlite3

 access_control:
  default_policy: two_factor
+  networks:
+    - name: internal
+      networks:
+        - 10.0.0.0/8
+        - 172.16.0.0/12
+        - 192.168.0.0/18

  rules:
-    - domain: "*"
+    # Allow free access from local network
+    - domain:
+      - "*.se"
+      - "*.com"
      networks:
-        - 192.168.1.0/23
+        - internal
      policy: bypass

-
-regulation:
-  max_retries: 5
-  find_time: 120
-  ban_time: 180
-
 notifier:
  filesystem:
-    filename: /opt/authelia/notification.txt
+    filename: /config/notification.txt

--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -1,90 +1,150 @@
-version: "3.5"
+version: "2.4"

 networks:
  web:
-    # All containers that are router through traefik needs to be on this network
-    external: false
-    name: web
-
-volumes:
-  authelia-config:
-    # Used for pre-processing of authelia configuration
+    # All containers that are routed through traefik needs to be on this network
+    external: true

 services:
-  proxy:
-    container_name: traefik
-    image: traefik:v2.1
+
+  # Autheal will restart any container that has the label
+  # autoheal: true
+  # and fail their healthcheck
+  autoheal:
+    container_name: autoheal
    restart: always
+    image: willfarrell/autoheal
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+
+  # Traefik reverse proxy. Routes http and ssh trafic to the righ containers
+  # Controlled by container labels, see bottom of this compose file
+  traefik:
+    container_name: traefik
+    image: traefik
+    restart: always
+    depends_on:
+      - authelia
    environment:
      - EMAIL
      - PRIVATE_DOMAIN
      - PUBLIC_DOMAIN
+      - TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
    networks:
-      - web
+      web:
+        ipv4_address: 172.18.1.2
    command:
      - "--configFile=/data/traefik.yaml"
-    ports: 
+    ports:
      - 80:80
      - 443:443
      # Open port 8080 for debugging emergencies
-    # - 8080:8080
+      - 8080:8080
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik:/data
+      - /var/log/traefik:/log
+    healthcheck:
+      # Sometimes, traefik loses connection to authelia. The only thing that works then is a restart, handled by autoheal.
+      # I haven't checked for quite a while if this is still a problem, but might as well leave it in there.
+      test: ["CMD", "wget", "-O", "-", "authelia:9091/api/state"]
    labels:
      traefik.enable: true
      traefik.http.services.traefik.loadbalancer.server.port: 8080
-
      traefik.http.routers.traefik.rule: Host(`traefik.${PRIVATE_DOMAIN}`)
      traefik.http.routers.traefik.middlewares: auth@file
      traefik.http.routers.traefik.tls.certResolver: le
+      autoheal: "true"

-  authelia-config:
-    # Preprocess authelia configuration through gomplate
-    image: hairyhenderson/gomplate
-    environment:
-      - PRIVATE_DOMAIN
-      - PUBLIC_DOMAIN
-    volumes:
-      - ./authelia/configuration.yml:/data/input:ro
-      - authelia-config:/data/output
-    command: '--file=/data/input --out=/data/output/configuration.yml'
+  # Authelia handles access control with 2FA
  authelia:
    container_name: authelia
    image: authelia/authelia
    restart: always
-    depends_on:
-      # config preprocessor should run first
-      - authelia-config
    volumes:
-      - ./authelia:/opt/authelia
-      - authelia-config:/etc/authelia/
+      - ./authelia:/config
    environment:
-      - ENVIRONMENT=dev
+      # - ENVIRONMENT=dev
      - NODE_TLS_REJECT_UNAUTHORIZED=1
+      - AUTHELIA_JWT_SECRET
+      - AUTHELIA_SESSION_SECRET
+      - AUTHELIA_SESSION_DOMAIN
+      - AUTHELIA_TOTP_ISSUER
+      - TZ=Europe/Stockholm
    networks:
-      - web
+      web:
+    healthcheck:
+      test: ["CMD", "wget", "-O", "-", "127.0.0.1:9091/api/state"]
    labels:
      traefik.enable: true
      traefik.http.routers.authelia.rule: Host(`auth.${PRIVATE_DOMAIN}`)
      traefik.http.routers.authelia.tls.certResolver: le
      traefik.http.routers.authelia.entrypoints: websecure
+      autoheal: "true"

-# whoami-https:
-#   image: containous/whoami
-#   networks:
-#     - web
-#   labels:
-#     traefik.enable: true
-#     traefik.http.routers.wait-https.rule: Host(`wai-https.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wait-https.tls.certResolver: le
+  # Homer provides a dashboard for all services. Configured through ./homer/config.yml
+  homer:
+    container_name: homer
+    image: b4bz/homer
+    restart: always
+    volumes:
+      - ./homer:/www/assets
+    environment:
+      UID: 1000
+      GID: 1001
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.homer.rule: Host(`${PRIVATE_DOMAIN}`) || Host(`www.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.homer.tls.certResolver: le

-# whoami-auth:
-#   image: containous/whoami
-#   networks:
-#     - web
-#   labels:
-#     traefik.enable: true
-#     traefik.http.routers.wai-auth.rule: Host(`wai-auth.${PRIVATE_DOMAIN}`)
-#     traefik.http.routers.wai-auth.tls.certResolver: le
-#     traefik.http.routers.wai-auth.middlewares: auth@file
+  # Dozzle is an easy way to view docker logs through a web interface
+  dozzle:
+    image: amir20/dozzle
+    restart: always
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.dozzle.rule: Host(`logs.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.dozzle.tls.certResolver: le
+      traefik.http.routers.dozzle.middlewares: auth@file
+
+  analytics:
+    image: gregyankovoy/goaccess
+    volumes:
+      - ./analytics:/config
+      - /var/log/traefik:/opt/log
+    networks:
+      web:
+    labels:
+      traefik.enable: true
+      traefik.http.routers.analytics.rule: Host(`analytics.${PRIVATE_DOMAIN}`)
+      traefik.http.routers.analytics.tls.certResolver: le
+      traefik.http.routers.analytics.middlewares: auth@file
+
+
+# labels:
+#   The following three labels are always needed. Make sure to replace <SERVICE> with a unique name
+#   traefik.enable: true
+#   traefik.http.routers.<SERVICE>.tls.certResolver: le
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`)
+
+#   Alternatives:
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PUBLIC_DOMAIN}`)
+#   traefik.http.routers.<SERVICE>.rule: Host(`<SERVICE>.${PRIVATE_DOMAIN}`) || HOST(`<SERVICE>.${PUBLIC_DOMAIN}`)
+
+#   Require authentication:
+#   traefik.http.routers.<SERVICE>.middlewares: auth@file
+
+#   If more than one port is exposed by the container:
+#   traefik.http.services.<SERVICE>.loadbalancer.server.port: <PORT>
+
+#   If container uses more than one network:
+#   traefik.docker.network: web
+
+#   Restart automatically if healthchech fails:
+#   autoheal: "true"
--- a/traefik/config/network.yaml
+++ b/traefik/config/network.yaml
@@ -6,10 +6,17 @@ http:
      loadBalancer:
        servers:
          - url: http://192.168.0.1:80
+
    proxmox:
      loadBalancer:
        servers:
-          - url: http://192.168.0.10:8006
+          - url: https://192.168.0.10:8006
+          
+    prusa:
+      loadBalancer:
+        servers:
+          - url: http://192.168.0.14
+          

  routers:
    pfsense:
@@ -19,6 +26,7 @@ http:
        - auth
      tls:
        certResolver: le
+
    proxmox:
      service: proxmox
      rule: Host(`proxmox.{{ env "PRIVATE_DOMAIN" }}`)
@@ -27,3 +35,11 @@ http:
      tls:
        certResolver: le

+    prusa:
+      service: prusa
+      rule: Host(`prusa.{{env "PRIVATE_DOMAIN"}}`)
+      middlewares:
+        - auth
+      tls:
+        certResolver: le
+
--- a/traefik/config/security.yaml
+++ b/traefik/config/security.yaml
@@ -13,7 +13,8 @@ http:
      # Catch all requests to the http entrypoint and redirect them to https
      service: http-catchall
      rule: hostregexp(`{host:.+}`)
-      entrypoint: web
+      entryPoints:
+        - web
      middlewares:
        - redir

@@ -30,7 +31,9 @@ http:
        address: http://authelia:9091/api/verify?rd=https://auth.{{ env "PRIVATE_DOMAIN" }}/
        trustForwardHeader: true
        authResponseHeaders:
-          - X-Forwarded-User
+          - X-Remote-User
+          - Remote-User
+          - X-Remote-Groups
+          - Remote-Groups
        tls:
          insecureSkipVerify: true
-
--- a/traefik/traefik.yaml
+++ b/traefik/traefik.yaml
@@ -1,6 +1,9 @@
 api:
  insecure: true

+serversTransport:
+  insecureSkipVerify: true
+
 providers:
  file:
    directory: /data/config
@@ -9,7 +12,11 @@ providers:

 log:
  filePath: /data/traefik.log
-  level: DEBUG
+  level: INFO
+  # level: DEBUG
+
+accessLog:
+  filePath: /log/access.log

 entryPoints:
  web:
@@ -20,7 +27,9 @@ entryPoints:
 certificatesResolvers:
  le:
    acme:
-      email: '{{ env "EMAIL" }}'
+      # email: SET BY ENV VARIABLE TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL
      storage: /data/acme.json
      httpChallenge:
        entrypoint: web
+      # UNCOMMENT NEXT ROW FOR EXPERIMENTATION
+      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
Author	SHA1	Message	Date
Thomas Lovén	ead848575f	Add analytics. Invert gitignore	2021-12-04 23:13:12 +01:00
Thomas Lovén	4d87b20740	Add links to other repos	2021-09-05 16:22:51 +02:00
Thomas Lovén	fe64c0e4c5	Some comments	2021-09-03 10:59:26 +02:00
Thomas Lovén	7fb637509b	Add network description to readme.	2021-08-21 23:29:17 +02:00
Thomas Lovén	71a8127105	Update readme	2021-08-21 23:14:25 +02:00
Thomas Lovén	f0709ed83b	Update traefik configuration. Add octoprint link.	2021-08-21 23:10:46 +02:00
Thomas Lovén	fb3b89079c	Simplify authelia config. Add dozzle for log viewing.	2021-08-21 22:51:25 +02:00
Thomas Lovén	e8cd50c857	Add Homer dashboard	2020-08-04 15:07:48 +02:00
Thomas Lovén	5d1b7c06c6	Fix authelia login redirection	2020-01-27 17:02:30 +01:00